Business Security and Fraud Prevention
The internet and other technologies are powerful tools for businesses of all types and sizes. But despite their many uses and advantages, they can also pose many threats.
Below are security best practices from the FTC that you should consider implementing for your business if you haven’t already.
Train employees in security principles
Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
Protect information, computers, and networks from cyber attacks
Keep clean machines: having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
Provide firewall security for your Internet connection
A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install firewall software. If employees work from home, ensure that their home system(s) are secure.
Keep your software updated
Make sure you are on the current version of whatever operating system you run so you stay up to date on the latest security patches. Companies like Microsoft and Apple are continually finding and patching new vulnerabilities.
Create a mobile device action plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information. Be sure to set reporting procedures for lost or stolen equipment.
Make backup copies of important business data and information
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies in a secure manner.
Control physical access to your computers and create user accounts for each employee
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
Secure your Wi-Fi networks
If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
Limit employee access to data and information, limit authority to install software
Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
Passwords and authentication
Require employees to use unique passwords and change passwords regularly. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data to see if they offer multi-factor authentication for your account.
Common Types of Scams
Phishing is a deceptive cyber-attack technique used by malicious actors to trick individuals into divulging sensitive information such as passwords, credit card numbers, or personal details.
Typically, phishing attempts are carried out through fraudulent emails, messages, or websites that appear legitimate, often mimicking trusted sources like banks, social media platforms, or online services. These messages often induce urgency or fear, compelling recipients to act quickly without verifying the authenticity of the request. Once a victim falls prey and divulges their information, it can be exploited for identity theft, financial fraud, or unauthorized access to sensitive accounts.
To combat phishing, awareness and vigilance are paramount. Individuals should scrutinize incoming emails and messages for signs of phishing, such as unfamiliar senders, unusual requests for personal information, or grammatical errors. Hovering over links before clicking to check their destination, rather than relying solely on embedded text, can also prevent falling victim to phishing links disguised as legitimate URLs.
By staying informed and cautious, you can mitigate the risks posed by phishing attacks and safeguard sensitive information effectively.
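The hover check described above can also be automated for HTML messages. The Python code below is an added example, not part of the original page: it flags links whose visible text names one site while the underlying address points to another. The domains and message body are constructed, and the names audit_links and LinkAuditor are hypothetical.

```python
# Added example, not from the original page. All domains are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def norm(host):
    """Lower-case a hostname and drop a leading 'www.'."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def same_site(claimed, actual):
    """Equal hosts, or one is a subdomain of the other."""
    return claimed == actual or actual.endswith("." + claimed) or claimed.endswith("." + actual)

class LinkAuditor(HTMLParser):
    """Records links whose visible text names a different site than the href."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        match = DOMAIN_RE.search(shown)  # does the text itself look like a domain?
        actual = norm(urlsplit(self.href).hostname)
        if match and actual and not same_site(norm(match.group(1)), actual):
            self.findings.append((shown, actual))
        self.href = None

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

SAMPLE = (  # constructed message body
    '<p>Verify at <a href="http://example-bank.test.login-verify.test/reset">www.example-bank.test</a>, '
    'see the <a href="https://www.example-bank.test/help">help page</a>, or visit '
    '<a href="https://secure.example-bank.test/">example-bank.test</a>.</p>')
print(audit_links(SAMPLE))
```

Links whose text is not a domain (such as "help page") are not flagged, because there is nothing to compare the destination against; those still need the manual hover check.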
Additionally, installing and regularly updating antivirus software on mobile devices can help detect and mitigate potential threats from smishing attacks. Awareness and skepticism are crucial in defending against smishing tactics that exploit trust and urgency to compromise personal information and financial security.
Fraudsters often pretend to be someone else to scare you or earn your trust. They can then try to persuade you to share personal information or send them money. Imposter scams can start with a phone call, text, email, direct message online or even in person.
Fraudsters may pretend to be from the Government, IRS, police, a charity, or a well-known company whose products you use (Microsoft, Apple, etc.).
When presented with a questionable communication, it’s best to look up the organization the person claims to be from and contact them directly yourself. Any legitimate customer service employee or government agent will appreciate that you’re trying to be careful.
Cryptocurrency, with its promise of decentralized finance and digital wealth, has captured the attention of millions of investors worldwide. However, its rapid growth and the complexity of blockchain technology have also made it a prime target for scammers.
Crypto scams can take many forms, including fake currency offerings, fraudulent crypto apps/wallets, and any sort of offer that requires you to transfer cryptocurrency to verify yourself with the promise of a greater return.
Be sure to do your research before investing in any cryptocurrency. Avoid sharing any sensitive information and find multiple sources to verify what you are investing in and who you are investing with. Be particularly skeptical of unsolicited offers and anything that seems too good to be true.
Scammers commonly contact you directly and say that you’ve won a prize of some sort. They could ask for your personal information (Social Security number, etc.) claiming that they need it to send you the winnings.
Likewise, they might claim that you need to send them a payment to cover additional costs (such as taxes or shipping) in order to claim your prize. They’ll ask for your bank or credit card information or ask you to wire them the money ‘So they can release your prize to you.’ Of course, there is no prize, and they take the money and run.
If you don’t remember entering a drawing or lottery, you more than likely didn’t win anything. It’s usually best to ignore messages about any sort of prizes or winnings, especially if they ask you for personal information or payment.